ALERT RestApps for FreePBX Distro Purchasers

wardmundy

Wondering what you missed by not purchasing RestApps for the FreePBX Distro? Read on...

 
I thought this vulnerability got discussed here back when it was discovered in mid December.

The worse news is that you were vulnerable if you had restapps installed even if it's not purchased/licensed.

This was fixed in December so unless you go looking for an old copy of the module you should be good now.
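The point of the post above is that the exposure depended on whether the restapps module was present on the box at all, not on whether it was licensed. Below is an added example (not from this thread, and not Sangoma's or FreePBX's own tooling) of a small POSIX shell audit that reads the `fwconsole ma list` module table and reports whether restapps is installed, with which version and status. It assumes the pipe-separated table layout that `fwconsole ma list` prints (`| Module | Version | Status | License |`) and the standard module directory `/var/www/html/admin/modules/restapps`; the sample listing embedded in the script is constructed so it runs offline.

```shell
#!/bin/sh
# Added example: audit a FreePBX box for the restapps module.
# Assumptions (not from the original thread): `fwconsole ma list` prints a
# pipe-separated table with columns Module | Version | Status | License, and
# modules live under /var/www/html/admin/modules/<name>.

# Read a `fwconsole ma list` table on stdin and print "<version> <status>"
# for the restapps row, or nothing if the module is not listed.
restapps_status() {
    awk -F'|' '
        # data rows look like: | restapps | 15.0.1 | Disabled | Commercial |
        $2 ~ /^[[:space:]]*restapps[[:space:]]*$/ {
            gsub(/^[[:space:]]+|[[:space:]]+$/, "", $3)   # trim version
            gsub(/^[[:space:]]+|[[:space:]]+$/, "", $4)   # trim status
            print $3, $4
        }'
}

# Exit 0 if restapps appears in the listing in any status. Licensing is
# deliberately ignored: an unlicensed install was still exposed.
restapps_installed() {
    [ -n "$(restapps_status)" ]
}

# Constructed sample output standing in for a live `fwconsole ma list`.
SAMPLE_LISTING='+-----------+----------+----------+------------+
| Module    | Version  | Status   | License    |
+-----------+----------+----------+------------+
| core      | 15.0.9   | Enabled  | GPLv3+     |
| restapps  | 15.0.1   | Disabled | Commercial |
+-----------+----------+----------+------------+'

main() {
    if command -v fwconsole >/dev/null 2>&1; then
        listing=$(fwconsole ma list)      # live box
    else
        listing=$SAMPLE_LISTING           # offline demonstration
    fi

    status=$(printf '%s\n' "$listing" | restapps_status)
    if [ -n "$status" ]; then
        echo "restapps present: $status"
        echo "compare this version against the December fix before trusting the box"
    else
        echo "restapps not listed"
    fi

    # A disabled or removed module can still leave files behind; check on disk too.
    if [ -d /var/www/html/admin/modules/restapps ]; then
        echo "module directory still on disk: /var/www/html/admin/modules/restapps"
    fi
}

main
```

Run it as root on the PBX; with no `fwconsole` on the path it falls back to the constructed listing so the parsing can be checked anywhere. It only reports presence and version; whether that version predates the December fix is something the reader still has to check against the vendor's release notes.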
 
@billsimon Folks were still posting fixes for this as recently as two days ago. Check the link for yourself.
 
I think they were compromised back in December and didn’t find out until now :death: I’m very familiar with this one after restoring ten FreePBXes for a client who was auto-updating and got that module installed.
 
OMG! Just read the entire post. This is one hell of a f***up. Practically there is no way to salvage a compromised system and what is left is a clean install. You can't even trust your backups after having installed RestApps!!!
 
A few things about this.

1. This is a regression of an old bug from a couple of years back, that was patched.
2. It happened back in December. This post is a bit late to the party.
3. The post referenced here is only one of many that covered this issue.
4. The regression impacted v14, v15 and v16 installs because they don't release updates for v13 anymore.
5. In other threads, not referenced here (or probably even looked at), many people hit this time around with the exploit had v13 boxes.

So really this could have happened, and people would have complained. It would have been all the people that hadn't updated their v13 since the patch was released. To be clear here, Sangoma pushing out a regression was sloppy and never should have happened. At the same time, many people that were hit by this never did the work to fix it the **FIRST** time around a few years back.

Those that keep their boxes updated and try to keep it secure in some fashion got screwed over by this. Those that never did a damn thing since the original bug and its fix on versions of FreePBX that never would have gotten the regression. This is just the result of them being poor admins.
 
@Samot: You market FreePBX as a business so you keep current. Many are just end-users, and some of these paid some fly-by-night company (not you!) to set up their "phone system" and the guy then disappeared. So it's a bit more complicated than just "poor admins."
 
Many are just end-users, and some of these paid some fly-by-night company to set up their "phone system" and the guy then disappeared.
If their phone guy disappeared, they discovered they got hacked how? I mean, this could be a valid reason for sure. I'm sure those people who don't have a phone guy or pay attention to their phone system wouldn't even know they were hacked. I am talking about those over the last three months that came into the community looking for a fix for this because they found their box hacked. They had full access to SSH/GUI to determine this. In some cases, they rebuilt the box in a few hours after being told to. Doesn't sound like "just end users".

Now, in my experience over the years, I have found it to be a rarity when I take a job where the end users had their "phone guy disappear" and they actually know how to access the box or what is even happening with it. The majority of the time I have to end up doing recovery steps to get root passwords or access back into the system.

So, if the end user is on v13 (or any really) and hasn't had their system touched in three years or hasn't replaced their missing phone guy, they are a poor admin. Because I never said "poor PBX admin", I just said "poor admin".
 
If I understand what @billsimon alluded to, your site may have gotten compromised if you had automatic module updates turned on and you got this module whether you paid for it or not. Your site was still vulnerable to compromise. Am I missing something??
 
Yes, the part where many people were hit on v13 boxes that no longer get updates. So they couldn't have auto-updated their system to get the regression. To still be exposed on v13 means you never fixed it the first time around.
 